#!/bin/sh set -eu # Remove leftover files find /tmp/ /run/ -mindepth 1 -delete ||: # Add GPU devices groups to additional groups for dev in /dev/dri/*; do [ -c "${dev:?}" ] || continue gid=$(stat -c '%g' "${dev:?}") uug=${UNPRIVILEGED_USER_GROUPS?} UNPRIVILEGED_USER_GROUPS="${uug:+${uug:?},}${gid:?}" done # Create additional groups _IFS=${IFS}; IFS=, for gid in ${UNPRIVILEGED_USER_GROUPS?}; do if ! getent group "${gid:?}" >/dev/null 2>&1; then groupadd --gid "${gid:?}" "g_${gid:?}" fi done IFS=$_IFS # Create unprivileged user and group if ! getent group "${UNPRIVILEGED_USER_GID:?}" >/dev/null 2>&1; then groupadd --gid "${UNPRIVILEGED_USER_GID:?}" "${UNPRIVILEGED_USER_NAME:?}" fi if ! getent passwd "${UNPRIVILEGED_USER_UID:?}" >/dev/null 2>&1; then useradd \ --uid "${UNPRIVILEGED_USER_UID:?}" \ --gid "${UNPRIVILEGED_USER_GID:?}" \ --groups "${UNPRIVILEGED_USER_GROUPS?}" \ --shell "${UNPRIVILEGED_USER_SHELL:?}" \ --home-dir "${UNPRIVILEGED_USER_HOME:?}" \ --create-home \ "${UNPRIVILEGED_USER_NAME:?}" fi # Set unprivileged user password if [ -n "${UNPRIVILEGED_USER_PASSWORD?}" ]; then printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd else passwd -d "${UNPRIVILEGED_USER_NAME:?}" fi if [ -w "${UNPRIVILEGED_USER_HOME:?}" ]; then # Copy /etc/skel/ to unprivileged user home if certain files do not exist if [ ! -e "${UNPRIVILEGED_USER_HOME:?}"/.profile ]; then cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}" ||: find /etc/skel/ -mindepth 1 -exec sh -c 'chown "$1:" "$2/${3#/etc/skel/}"' _ "${UNPRIVILEGED_USER_NAME:?}" "${UNPRIVILEGED_USER_HOME:?}" '{}' ';' fi # Set unprivileged user home permissions if [ "$(stat -c '%u' "${UNPRIVILEGED_USER_HOME:?}")" != "${UNPRIVILEGED_USER_UID:?}" ]; then chown "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}" fi if [ "$(stat -c '%a' "${UNPRIVILEGED_USER_HOME:?}")" != '750' ]; then chmod 750 "${UNPRIVILEGED_USER_HOME:?}" fi fi # Create /run/user/${UNPRIVILEGED_USER_UID}/ directory if it does not exist if [ ! -d /run/user/"${UNPRIVILEGED_USER_UID:?}"/ ]; then mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/ chmod 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/ chown "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/ fi # Disable glx module if /dev/dri/ does not exist if [ ! -d /dev/dri/ ]; then printf '%s\n' '"/dev/dri/" does not exist, glx module will be disabled' 1>&2 sed -i 's|Load \("glx"\)|Disable \1|g' /opt/xrdp/etc/X11/xrdp/xorg.conf fi # Enable xrdp bootstrap service if [ "${SERVICE_XRDP_BOOTSTRAP_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xrdp-bootstrap ]; then ln -s /etc/sv/xrdp-bootstrap "${SVDIR:?}" fi # Enable headless X server service if [ "${SERVICE_XORG_HEADLESS_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xorg-headless ]; then ln -s /etc/sv/xorg-headless "${SVDIR:?}" fi # Generate SSH keys if they do not exist if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >/dev/null fi if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' >/dev/null fi # Generate xrdp RSA keys if they do not exist if [ ! -f "${XRDP_RSAKEYS_PATH:?}" ]; then mkdir -p "$(dirname "${XRDP_RSAKEYS_PATH:?}")" (umask 077 \ && xrdp-keygen xrdp "${XRDP_RSAKEYS_PATH:?}" \ ) >/dev/null fi # Generate RDP certificate if it does not exist if [ ! -f "${XRDP_TLS_KEY_PATH:?}" ] || [ ! -f "${XRDP_TLS_CRT_PATH:?}" ]; then FQDN=$(hostname --fqdn) mkdir -p "$(dirname "${XRDP_TLS_KEY_PATH:?}")" (umask 077 \ && openssl ecparam -genkey -name prime256v1 > "${XRDP_TLS_KEY_PATH:?}" \ ) >/dev/null mkdir -p "$(dirname "${XRDP_TLS_CRT_PATH:?}")" (umask 022 \ && openssl req -x509 -sha256 -days 3650 -subj "/CN=${FQDN:?}" -addext "subjectAltName=DNS:${FQDN:?}" -key "${XRDP_TLS_KEY_PATH:?}" > "${XRDP_TLS_CRT_PATH:?}" \ ) >/dev/null fi # Print RDP certificate fingerprint openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha1 openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha256 # Dump environment variables env | grep -Ev '^(PWD|OLDPWD|HOME|USER|SHELL|TERM|([^=]*(PASSWORD|SECRET)[^=]*))=' | sort > /etc/environment # Start runit exec runsvdir -P "${SVDIR:?}"